Kerberos 5 Release 1.13.7

The MIT Kerberos Team announces the availability of the
krb5-1.13.7 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.

You may also see the current full list of fixed bugs tracked in
our RT bugtracking system.

DES transition

The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is a configuration variable that enables "weak" enctypes,
which now defaults to "false" beginning with krb5-1.8.

Major changes in 1.13.7 (2016-09-15)

This is a bug fix release. The krb5-1.13 release series is
near the end of its maintenance period, and krb5-1.13.7 will
probably be the final release of this series. For new
deployments, installers should prefer the krb5-1.14 release
series or later.

Fix some rare btree data corruption bugs

Fix numerous minor memory leaks

Improve portability (Linux-ppc64el, FreeBSD)

Improve some error messages

Improve documentation

Major changes in 1.13.6 (2016-07-25)

This is a bug fix release. The krb5-1.13 release series is in
maintenance, and for new deployments, installers should prefer
the krb5-1.14 release series or later.

Improve some error messages

Improve documentation

Allow a principal with nonexistent policy to bypass the
minimum password lifetime check, consistent with other aspects
of nonexistent policies

Fix a rare KDC denial of service vulnerability when
anonymous client principals are restricted to obtaining TGTs
only [CVE-2016-3120]

Major changes in 1.13.5 (2016-04-18)

This is a bug fix release. The krb5-1.13 release series is in
maintenance, and for new deployments, installers should prefer
the krb5-1.14 release series or later.

Fix a moderate-severity vulnerability in the LDAP KDC back
end that could be exploited by a privileged kadmin user
[CVE-2016-3119]

Major changes in 1.13.4 (2016-03-07)

This is a bug fix release. The krb5-1.13 release series is in
maintenance, and for new deployments, installers should prefer
the krb5-1.14 release series or later.